feat: add DBAL middleware to ensure proper role is used for all queries

Initially, we attempted to use the `wrapperClass` option to handle setting the database role. However, we encountered issues because DBAL checks for the exact `Connection` class type and not the interface, making it difficult to extend the `Connection` class as needed. We also considered overwriting the PgSQL-specific connection class (PDO variant) to set the role upon connection. Unfortunately, this was not an option because the class is declared as `final`, preventing us from extending it. The next potential solution was to use an `EventSubscriber` to set the role after the connection was established (using `postConnect`). However, this approach is already deprecated in our version of DBAL and completely removed in the next major release, rendering it unsuitable for us (maintainability). Ultimately, we implemented the `SET ROLE` functionality using DBAL's middleware. By wrapping the driver, and manually creating the `Connection` we can perform the `SET ROLE` query before the connection is used by the application. Runtime checks exist to ensure that the role for each database is defined. However, validation of the actual value is done by PostgreSQL itself (it will complain if the role does not exist). Co-Authored-By: Rink <[email protected]>
tomudding · Nov 2, 2024 · f80419f · f80419f
1 parent f2c4154
commit f80419f
Show file tree

Hide file tree

Showing 6 changed files with 142 additions and 0 deletions.
diff --git a/.env.dist b/.env.dist
@@ -7,11 +7,13 @@ DOCTRINE_DEFAULT_HOST=postgresql
 DOCTRINE_DEFAULT_PORT=5432
 DOCTRINE_DEFAULT_USER=gewisdb
 DOCTRINE_DEFAULT_PASSWORD=gewisdb
+DOCTRINE_DEFAULT_ROLE=gewisdb
 DOCTRINE_DEFAULT_DATABASE=gewisdb
 DOCTRINE_REPORT_HOST=postgresql
 DOCTRINE_REPORT_PORT=5432
 DOCTRINE_REPORT_USER=gewisdb
 DOCTRINE_REPORT_PASSWORD=gewisdb
+DOCTRINE_REPORT_ROLE=gewisdb
 DOCTRINE_REPORT_DATABASE=gewisdb_report
 
 # Laminas settings

diff --git a/config/autoload/doctrine.local.development.php.dist b/config/autoload/doctrine.local.development.php.dist
@@ -2,6 +2,7 @@
 
 declare(strict_types=1);
 
+use Application\Extensions\Doctrine\Middleware\SetRoleMiddleware;
 use Doctrine\DBAL\Driver\PDO\PgSQL\Driver as PgSQLDriver;
 use Doctrine\Persistence\Mapping\Driver\MappingDriverChain;
 
@@ -82,6 +83,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_default',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => true,
@@ -128,6 +132,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_report',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => true,

diff --git a/config/autoload/doctrine.local.production.php.dist b/config/autoload/doctrine.local.production.php.dist
@@ -2,6 +2,7 @@
 
 declare(strict_types=1);
 
+use Application\Extensions\Doctrine\Middleware\SetRoleMiddleware;
 use Doctrine\DBAL\Driver\PDO\PgSQL\Driver as PgSQLDriver;
 use Doctrine\Persistence\Mapping\Driver\MappingDriverChain;
 
@@ -82,6 +83,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_default',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => false,
@@ -128,6 +132,9 @@ return [
                 // to use the default chained driver. The retrieved service name will
                 // be `doctrine.driver.$thisSetting`
                 'driver'            => 'orm_report',
+                'middlewares'       => [
+                    SetRoleMiddleware::class,
+                ],
 
                 // Generate proxies automatically (turn off for production)
                 'generate_proxies'  => false,

diff --git a/module/Application/src/Extensions/Doctrine/Middleware/Driver.php b/module/Application/src/Extensions/Doctrine/Middleware/Driver.php
@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Application\Extensions\Doctrine\Middleware;
+
+use Doctrine\DBAL\Driver as DriverInterface;
+use Doctrine\DBAL\Driver\Connection as ConnectionInterface;
+use Doctrine\DBAL\Driver\Middleware\AbstractDriverMiddleware;
+use SensitiveParameter;
+
+use function implode;
+
+class Driver extends AbstractDriverMiddleware
+{
+    /**
+     * @param array<non-empty-string, non-empty-string> $roles
+     */
+    public function __construct(
+        DriverInterface $driver,
+        private readonly array $roles,
+        private readonly bool $isPgSQL,
+    ) {
+        parent::__construct($driver);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function connect(
+        #[SensitiveParameter]
+        array $params,
+    ): ConnectionInterface {
+        $connection = parent::connect($params);
+
+        if (
+            $this->isPgSQL
+            && isset($params['host'], $params['port'], $params['dbname'])
+        ) {
+            $role = $this->roles[implode(':', [$params['host'], $params['port'], $params['dbname']])];
+
+            $connection->exec('SET ROLE ' . $connection->quote($role));
+        }
+
+        return $connection;
+    }
+}
diff --git a/module/Application/src/Extensions/Doctrine/Middleware/SetRoleMiddleware.php b/module/Application/src/Extensions/Doctrine/Middleware/SetRoleMiddleware.php
@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Application\Extensions\Doctrine\Middleware;
+
+use Doctrine\DBAL\Driver as DriverInterface;
+use Doctrine\DBAL\Driver\Middleware as MiddlewareInterface;
+use RuntimeException;
+
+use function getenv;
+use function implode;
+
+class SetRoleMiddleware implements MiddlewareInterface
+{
+    public function wrap(DriverInterface $driver): DriverInterface
+    {
+        $isPgSQL = $driver instanceof DriverInterface\PDO\PgSQL\Driver;
+        if (
+            !$isPgSQL
+            && !$driver instanceof DriverInterface\PDO\SQLite\Driver
+        ) {
+            throw new RuntimeException('Expected DBAL Driver to be PDO PgSQL/Sqlite, but got ' . $driver::class);
+        }
+
+        $roleDefaultHost = getenv('DOCTRINE_DEFAULT_HOST');
+        $roleDefaultPort = getenv('DOCTRINE_DEFAULT_PORT');
+        $roleDefaultDB   = getenv('DOCTRINE_DEFAULT_DATABASE');
+        $roleDefaultRole = getenv('DOCTRINE_DEFAULT_ROLE');
+
+        $roleReportHost = getenv('DOCTRINE_REPORT_HOST');
+        $roleReportPort = getenv('DOCTRINE_REPORT_PORT');
+        $roleReportDB   = getenv('DOCTRINE_REPORT_DATABASE');
+        $roleReportRole = getenv('DOCTRINE_REPORT_ROLE');
+
+        if (
+            false === $roleDefaultHost
+            || false === $roleDefaultPort
+            || false === $roleDefaultDB
+            || false === $roleDefaultRole
+        ) {
+            throw new RuntimeException('Required `DOCTRINE_DEFAULT_*` environment variables not set...');
+        }
+
+        if (
+            false === $roleReportHost
+            || false === $roleReportPort
+            || false === $roleReportDB
+            || false === $roleReportRole
+        ) {
+            throw new RuntimeException('Required `DOCTRINE_REPORT_*` environment variables not set...');
+        }
+
+        $roles = [
+            implode(
+                ':',
+                [
+                    $roleDefaultHost,
+                    $roleDefaultPort,
+                    $roleDefaultDB,
+                ],
+            ) => $roleDefaultRole,
+            implode(
+                ':',
+                [
+                    $roleReportHost,
+                    $roleReportPort,
+                    $roleReportDB,
+                ],
+            ) => $roleReportRole,
+        ];
+
+        return new Driver($driver, $roles, $isPgSQL);
+    }
+}
diff --git a/module/Application/src/Module.php b/module/Application/src/Module.php
@@ -4,6 +4,7 @@
 
 namespace Application;
 
+use Application\Extensions\Doctrine\Middleware\SetRoleMiddleware;
 use Application\Mapper\ConfigItem as ConfigItemMapper;
 use Application\Mapper\Factory\ConfigItemFactory as ConfigItemMapperFactory;
 use Application\Service\Config as ConfigService;
@@ -123,6 +124,9 @@ public function getConfig(): array
     public function getServiceConfig(): array
     {
         return [
+            'invokables' => [
+                SetRoleMiddleware::class => SetRoleMiddleware::class,
+            ],
             'factories' => [
                 ConfigItemMapper::class => ConfigItemMapperFactory::class,
                 ConfigService::class => ConfigServiceFactory::class,